Home Depot Security Breach: How Brian Krebs Broke The Story Last Week

A Home Depot location is seen in Niles, Illinois. The home improvement retailer revealed a big security breach a week after investigative reporter Brian Krebs reported it. Photo: Reuters/Jim Young

When Home Depot Inc. (NYSE:HD) announced Tuesday that hackers had breached its security systems in April and stolen customers' debit card and credit card information over several months, it was only confirming what Brian Krebs had reported a week earlier.

The former Washington Post reporter-turned-cybercrime-blogger had used his connections to uncover a massive black market of customer information that proved the breach long before the company admitted to it.

“Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground,” wrote the journalist on his Krebs on Security blog last Tuesday. He described how that very morning, a black market online store -- Rescator[dot]cc -- had “moved two massive new batches of stolen cards onto the market.”

Six days later, Home Depot confirmed publicly it had experienced a credit and debit card data breach at locations in Canada and the United States.

“While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised,” Home Depot said in its statement.

However, Krebs reported that “multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.”

It’s not the first time his reporting has conflicted with an official company line. It was Krebs who first reported the massive data breach at Target Corp. (NYSE:TGT) stores last year that affected at least 40 million customers and led to the resignation of the chain's CEO amid congressional probes and ongoing litigation.

Krebs, 41, is a former reporter who ran the Post's Security Fix blog from 2005 to 2009. But he wasn’t exactly a specialist in the field when he first started to get involved more than a decade ago.

“It wasn’t until 2001 -- when my entire home network was overrun by a Chinese hacking group -- that I became intensely interested in computer security,” he wrote in the “About the Author” section of his website.

“After that incident, I decided to learn as much as I could about computer and Internet security, and read most everything on the subject that I could get my hands on at the time. It’s an obsession that hasn’t let up.”

But cracking the hacker world wasn’t easy.

“Some of these communities, you don’t just say, ‘Hey, what’s up, guys?’” he told Businessweek, adding that it took quite a while to learn hacker slang, tricks of the trade and basic Russian-language skills, since most of the data he tracks originates in that country.

His work has earned him a lot of attention, as well as the wrath of hackers. At one point, Krebs had a police SWAT team at his door, after his enemies called in a false report of a murder at his residence, reported Poynter.

But his in-depth knowledge has earned him a reputation in the industry.

“Many of us in the industry go to him to help us understand what the Eastern European criminals are doing, how they work with each other and who is doing what to whom,” Rodney Joffe, senior vice president at Internet infrastructure firm Neustar, told the New York Times. “I would put him up against the best threat-intelligence analyst.”